diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
index 6bdf2bc..3e3c542 100644
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@@ -3,24 +3,27 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
 bind_secret_id = false
 token_policies = [
 "default_access",
+ "approle_token_create",
+ "auth/approle/approle_role_admin",
+ "auth/approle/approle_role_login",
+ "auth/kubernetes/k8s_auth_admin",
+ "auth/ldap/ldap_admin",
 "auth/token/auth_token_create",
 "auth/token/auth_token_self",
 "auth/token/auth_token_roles_admin",
- "auth/approle/approle_role_admin",
- "auth/approle/approle_role_login",
- "approle_token_create",
- "auth/kubernetes/k8s_auth_admin",
- "auth/ldap/ldap_admin",
+ "kubernetes/au/config_admin",
+ "kubernetes/au/roles_admin",
+ "kv/service/glauth/services/svc_vault_read",
+ "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
+ "kv/service/kubernetes/au/syd1/service_account_jwt/read",
 "pki_int/pki_int_roles_admin",
 "pki_root/pki_root_roles_admin",
 "ssh-host-signer/ssh-host-signer_roles_admin",
 "sshca/sshca_roles_admin",
- "kv/service/glauth/services/svc_vault_read",
 "sys/sys_auth_admin",
 "sys/sys_mounts_admin",
 "sys/sys_policy_admin",
 "transit/keys/admin",
- "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/auth_backend_kubernetes.tf b/auth_backend_kubernetes.tf
index 91695a5..2b720a2 100644
--- a/auth_backend_kubernetes.tf
+++ b/auth_backend_kubernetes.tf
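Review bot: Two of the policies added to `token_policies`, `kubernetes/au/config_admin` and `kubernetes/au/roles_admin`, are region-wide (their paths use a `+` segment, so they match every engine mounted under `kubernetes/au/`), whereas the two `kv/service/kubernetes/au/syd1/...` reads added right below them are scoped to a single cluster. If the intent is that this Terraform role bootstraps every future AU cluster, that asymmetry is deliberate and deserves a comment so the next reader does not "fix" it, e.g. `# kubernetes/au/* policies are region-wide; the kv/* reads below are granted per cluster`. The rest of the hunk only re-sorts the list; the enclosing resource block starts above the hunk.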
@@ -6,23 +6,8 @@ resource "vault_auth_backend" "kubernetes" {
 path = "kubernetes"
 }
 
-locals {
- kubernetes_ca_cert = <<-EOT
------BEGIN CERTIFICATE-----
-MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
-cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
-NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
-SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
-a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
-/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
-fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
-NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
------END CERTIFICATE-----
-EOT
-}
-
 # Data source to read the token_reviewer_jwt from Vault KV
-data "vault_kv_secret_v2" "token_reviewer_jwt" {
+data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
 mount = "kv"
 name = "service/kubernetes/au/syd1/token_reviewer_jwt"
 }
@@ -31,8 +16,8 @@ data "vault_kv_secret_v2" "token_reviewer_jwt" {
 resource "vault_kubernetes_auth_backend_config" "config" {
 backend = vault_auth_backend.kubernetes.path
 kubernetes_host = "https://api-k8s.service.consul:6443"
- kubernetes_ca_cert = local.kubernetes_ca_cert
- token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]
+ kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
+ token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
 disable_iss_validation = true
 use_annotations_as_alias_metadata = true
 }
diff --git a/engine_k8s_au_syd1.tf b/engine_k8s_au_syd1.tf
new file mode 100644
index 0000000..40433fa
--- /dev/null
+++ b/engine_k8s_au_syd1.tf
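Review bot: The comment `# Data source to read the token_reviewer_jwt from Vault KV` above the renamed data source is now the one line in this file that does not say which cluster the JWT belongs to, while the resource name, the KV path and the new local all carry `au_syd1`. Since that comment is a context line the rename leaves it untouched; suggest `# token_reviewer_jwt for the au/syd1 cluster (CA for the same cluster: local.kubernetes_ca_cert_au_syd1 in shared_locals.tf)`. Dropping the `locals` block here is only safe because shared_locals.tf is added in the same commit; a short pointer in this file helps anyone bisecting later.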
@@ -0,0 +1,48 @@
+# Data source to read the service_token_jwt from Vault KV
+data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
+ mount = "kv"
+ name = "service/kubernetes/au/syd1/service_account_jwt"
+}
+
+resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
+ path = "kubernetes/au/syd1"
+ description = "kubernetes secret engine for au-syd1 cluster"
+ default_lease_ttl_seconds = 600
+ max_lease_ttl_seconds = 86400
+ kubernetes_host = "https://api-k8s.service.consul:6443"
+ kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
+ service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
+ disable_local_ca_jwt = false
+}
+
+resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
+ backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
+ name = "media-apps-operator"
+ allowed_kubernetes_namespaces = ["media-apps"]
+
+ generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
+}
+
+resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
+ backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
+ name = "cluster-operator"
+ allowed_kubernetes_namespaces = ["*"]
+
+ generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
+}
+
+resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
+ backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
+ name = "cluster-admin"
+ allowed_kubernetes_namespaces = ["*"]
+
+ generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
+}
+
+resource "vault_kubernetes_secret_backend_role" "cluster_root" {
+ backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
+ name = "cluster-root"
+ allowed_kubernetes_namespaces = ["*"]
+
+ generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
+}
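Review bot: None of the four `vault_kubernetes_secret_backend_role` resources set `kubernetes_role_type`, and as far as I recall the provider default is `Role`, so the `generated_role_rules` for `cluster-admin` and `cluster-root` would be materialised as a namespaced Role in whatever namespace the creds caller names, not as a ClusterRole; if cluster-wide scope is intended those roles need `kubernetes_role_type = "ClusterRole"` set explicitly, and either way a comment stating the intended scope would keep the names from misleading. The roles also leave `token_default_ttl`/`token_max_ttl` unset, so generated service-account tokens appear to fall back to the mount's 600s default / 86400s max lease; for `cluster_root` in particular a short explicit `token_max_ttl` on the role is the cheaper control. Separately, `service_account_jwt` is read through a `vault_kv_secret_v2` data source, and data source results are persisted in Terraform state, so the raw JWT ends up in the state backend; a comment such as `# NOTE: data source output is written to Terraform state; the state backend must be treated as holding this JWT` next to the data source (and next to the token_reviewer_jwt one in auth_backend_kubernetes.tf) makes that dependency visible.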
diff --git a/policies/kubernetes/au/config_admin.hcl b/policies/kubernetes/au/config_admin.hcl
new file mode 100644
index 0000000..fa245ed
--- /dev/null
+++ b/policies/kubernetes/au/config_admin.hcl
@@ -0,0 +1,3 @@
+path "kubernetes/au/+/config" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/kubernetes/au/roles_admin.hcl b/policies/kubernetes/au/roles_admin.hcl
new file mode 100644
index 0000000..cff7bd2
--- /dev/null
+++ b/policies/kubernetes/au/roles_admin.hcl
@@ -0,0 +1,6 @@
+path "kubernetes/au/+/roles" {
+ capabilities = ["list"]
+}
+path "kubernetes/au/+/roles/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/kubernetes/au/syd1/creds/cluster-admin.hcl b/policies/kubernetes/au/syd1/creds/cluster-admin.hcl
new file mode 100644
index 0000000..e7aa0cb
--- /dev/null
+++ b/policies/kubernetes/au/syd1/creds/cluster-admin.hcl
@@ -0,0 +1,3 @@
+path "kubernetes/au/syd1/creds/cluster-admin" {
+ capabilities = ["update"]
+}
\ No newline at end of file
diff --git a/policies/kubernetes/au/syd1/creds/cluster-operator.hcl b/policies/kubernetes/au/syd1/creds/cluster-operator.hcl
new file mode 100644
index 0000000..b0d507a
--- /dev/null
+++ b/policies/kubernetes/au/syd1/creds/cluster-operator.hcl
@@ -0,0 +1,3 @@
+path "kubernetes/au/syd1/creds/cluster-operator" {
+ capabilities = ["update"]
+}
\ No newline at end of file
diff --git a/policies/kubernetes/au/syd1/creds/cluster-root.hcl b/policies/kubernetes/au/syd1/creds/cluster-root.hcl
new file mode 100644
index 0000000..6dd2f14
--- /dev/null
+++ b/policies/kubernetes/au/syd1/creds/cluster-root.hcl
@@ -0,0 +1,3 @@
+path "kubernetes/au/syd1/creds/cluster-root" {
+ capabilities = ["update"]
+}
\ No newline at end of file
diff --git a/policies/kubernetes/au/syd1/creds/media-apps-operator.hcl b/policies/kubernetes/au/syd1/creds/media-apps-operator.hcl
new file mode 100644
index 0000000..7ebabbb
--- /dev/null
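Review bot: `path "kubernetes/au/+/config"` with create/update/delete lets the holder rewrite `kubernetes_host`, the CA and the service-account JWT of every engine mounted under `kubernetes/au/`, present and future, not only syd1; roles_admin.hcl uses the same `+` segment for `roles`. That is a reasonable grant for a Terraform bootstrap role, but both files should open with a comment saying so, e.g. `# region-wide: "+" matches any single path segment, i.e. every cluster engine under kubernetes/au/`. `list` on a `config` endpoint has nothing to enumerate in the kubernetes engine's API as far as I can tell, so it can be dropped from config_admin.hcl without loss.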
+++ b/policies/kubernetes/au/syd1/creds/media-apps-operator.hcl
@@ -0,0 +1,3 @@
+path "kubernetes/au/syd1/creds/media-apps-operator" {
+ capabilities = ["update"]
+}
\ No newline at end of file
diff --git a/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl
new file mode 100644
index 0000000..4712a2a
--- /dev/null
+++ b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
+ capabilities = ["read"]
+}
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml b/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
new file mode 100644
index 0000000..80ca051
--- /dev/null
+++ b/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
@@ -0,0 +1,23 @@
+---
+rules:
+ - apiGroups:
+ - ""
+ - "postgresql.cnpg.io"
+ - "cert-manager.io"
+ - "rbac.authorization.k8s.io"
+ - "batch"
+ - "secrets.hashicorp.com"
+ - "storage.k8s.io"
+ - "apps"
+ - "apiextensions.k8s.io"
+ - "externaldns.k8s.io"
+ - "autoscaling"
+ - "networking.k8s.io"
+ - "purelb.io"
+ - "nfd.k8s-sigs.io"
+ - "policy"
+ - "metrics.k8s.io"
+ resources:
+ - "*"
+ verbs:
+ - "*"
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml b/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
new file mode 100644
index 0000000..480d36b
--- /dev/null
+++ b/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
@@ -0,0 +1,25 @@
+---
+rules:
+ - apiGroups:
+ - ""
+ - "postgresql.cnpg.io"
+ - "cert-manager.io"
+ - "rbac.authorization.k8s.io"
+ - "batch"
+ - "secrets.hashicorp.com"
+ - "storage.k8s.io"
+ - "apps"
+ - "apiextensions.k8s.io"
+ - "externaldns.k8s.io"
+ - "autoscaling"
+ - "networking.k8s.io"
+ - "purelb.io"
+ - "nfd.k8s-sigs.io"
+ - "policy"
+ - "metrics.k8s.io"
+ resources:
+ - "*"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
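Review bot: In cluster-admin.yaml, `verbs: ["*"]` on `resources: ["*"]` with `rbac.authorization.k8s.io` in the apiGroups list includes `bind` and `escalate` on roles and bindings, so a holder can grant itself any permission the cluster has; the enumerated apiGroups are therefore not an effective boundary and this role is in practice equivalent to cluster-root. If the list is meant as a real restriction, the RBAC group should be narrowed (read-only verbs) or removed; if it is only meant as inventory, say so in a comment at the top of the file, e.g. `# NOTE: wildcard verbs on rbac.authorization.k8s.io make this effectively unrestricted`. cluster-operator.yaml repeats the same apiGroups with read-only verbs, where the RBAC entry is harmless.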
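Review bot: cluster-operator.yaml grants get/list/watch on `resources: ["*"]` in the core group, which includes `secrets`, so the "read-only" operator credential can read every Secret in the namespaces it is bound to, and the Vault role binds it with `allowed_kubernetes_namespaces = ["*"]`. If that is intended, a comment at the top of the file stating that secrets are in scope would make the boundary explicit; otherwise list the read-only resources individually as media-apps-operator.yaml already does.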
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml b/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml
new file mode 100644
index 0000000..8f6995c
--- /dev/null
+++ b/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml
@@ -0,0 +1,8 @@
+---
+rules:
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - "*"
diff --git a/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml b/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml
new file mode 100644
index 0000000..0b4459e
--- /dev/null
+++ b/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml
@@ -0,0 +1,49 @@
+---
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "pods"
+ - "services"
+ - "configmaps"
+ - "secrets"
+ - "endpoints"
+ - "persistentvolumeclaims"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - apiGroups:
+ - ""
+ resources:
+ - "pods/log"
+ verbs:
+ - "get"
+ - "list"
+ - apiGroups:
+ - ""
+ resources:
+ - "pods/exec"
+ verbs:
+ - "create"
+ - apiGroups:
+ - "apps"
+ resources:
+ - "deployments"
+ - "replicasets"
+ - "statefulsets"
+ - "daemonsets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "patch"
+ - apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - "ingresses"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
diff --git a/shared_locals.tf b/shared_locals.tf
new file mode 100644
index 0000000..ef4d839
--- /dev/null
+++ b/shared_locals.tf
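Review bot: In media-apps-operator.yaml the `extensions` apiGroup in the last rule no longer serves Ingress on any supported Kubernetes release (it was removed in 1.22), so that entry is dead and `networking.k8s.io` alone is enough. The role is also more than a read-only operator: `create` on `pods/exec` plus `get` on `secrets` means the holder can act with the credentials mounted in any pod in `media-apps`, and `patch` on deployments/statefulsets/daemonsets allows changing pod templates; a header comment listing these as intended capabilities, e.g. `# intentionally includes exec, secret read and workload patch for the media-apps namespace`, makes the review boundary explicit.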
@@ -0,0 +1,14 @@
+locals {
+ kubernetes_ca_cert_au_syd1 = <<-EOT
+-----BEGIN CERTIFICATE-----
+MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
+cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
+NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
+a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
+/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
+fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
+NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
+-----END CERTIFICATE-----
+EOT
+}
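Review bot: The pinned CA has no provenance comment: the PEM's subject appears to decode to `rke2-server-ca@1759027584` with a validity window of roughly 2025-09 to 2035-09, but nothing in the file says which cluster it belongs to, where it was exported from, or that both auth_backend_kubernetes.tf and engine_k8s_au_syd1.tf consume it. Suggest a comment above the local, e.g. `# rke2 server CA for the au/syd1 cluster; used by the kubernetes auth backend and the kubernetes secrets engine — replace here when the cluster CA is rotated`. A CA certificate is public data, so keeping it in the repo is fine; the comment is what makes rotation findable.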